<?php
require './confg.php'; 

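// Authenticate the request from the username/password cookies.
// Every failure path redirects to the login page AND stops the script; a
// Location header on its own does not end execution, so without the exit the
// POST handlers further down would still run for an unauthenticated request.
// NOTE(review): the password cookie is compared directly with the stored
// value, so the cookie presumably carries the stored hash itself. A
// server-side session would avoid keeping a password-equivalent value in the
// browser - confirm against the login code.
$isAdmin=false;
if (!isset($_COOKIE['username']) || !isset($_COOKIE['password'])
  || !is_string($_COOKIE['username']) || !is_string($_COOKIE['password'])) {
  header('Location: login.html');
  exit;
}
$cookieUser = $_COOKIE['username'];
$cookiePass = $_COOKIE['password'];

// The cookie value is bound as a parameter, never interpolated into the SQL text.
$authStmt = mysqli_prepare($con,"SELECT password FROM members WHERE username = ?") or die(mysqli_error($con));
mysqli_stmt_bind_param($authStmt,'s',$cookieUser);
mysqli_stmt_execute($authStmt) or die(mysqli_stmt_error($authStmt));
mysqli_stmt_bind_result($authStmt,$storedPassword);
$authRowFound = mysqli_stmt_fetch($authStmt);
mysqli_stmt_close($authStmt);

// Fail closed: an unknown username or a NULL stored password never matches.
// hash_equals() is a strict, constant-time comparison, unlike the loose "!="
// it replaces, which treats a missing row (null) and an empty string as equal.
if ($authRowFound !== true || !is_string($storedPassword) || !hash_equals($storedPassword,$cookiePass)) {
  header('Location: login.html');
  exit;
}

// Only the account literally named "admin" gets the admin-only handlers.
$isAdmin = ($cookieUser === "admin");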

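// Stop when the database connection (presumably opened in confg.php) failed.
// The driver's message can name the database host and account, so it goes to
// the server log; the client only gets the generic text.
// NOTE(review): this check runs after the cookie lookup has already used $con;
// it belongs directly after the require at the top of the file.
if (mysqli_connect_errno())
{
  error_log("Failed to connect to MySQL: " . mysqli_connect_error());
  echo "Failed to connect to MySQL";
  exit;
}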

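// Save one row of theme settings into the graphics table, then redirect to admin.php.
// Expected POST fields (all required):
//   owner, body, backbar, banner, byline, footer, innerbody,
//   contbdylft, contbdyright, contbdylower, contfooter, contbyline
// NOTE(review): this branch has no authorization check of its own and takes
// `owner` from the request body; confirm that the authentication step earlier
// in the script terminates unauthenticated requests and that any member may
// write a row for any owner.
$graphicsPostKeys = [
  'owner',
  'body',
  'backbar',
  'banner',
  'byline',
  'footer',
  'innerbody',
  'contbdylft',
  'contbdyright',
  'contbdylower',
  'contfooter',
  'contbyline',
];

// Keys are quoted strings: the bare-word form ($_POST[owner]) is an undefined
// constant, which is a fatal Error on PHP 8.
$graphicsValues = [];
foreach ($graphicsPostKeys as $postKey) {
  if (!isset($_POST[$postKey]) || !is_string($_POST[$postKey])) {
    $graphicsValues = null;
    break;
  }
  $graphicsValues[] = $_POST[$postKey];
}

if ($graphicsValues !== null) {
  // Placeholders follow the same order as $graphicsPostKeys. Binding the values
  // replaces addslashes(), which is not a charset-aware SQL escape.
  $sql2="INSERT INTO graphics
(owner,
  body,
  backbar,
  banner,
  byline,
  footer,
  innerbody,
  contentbodyleft,
  contentbodyright,
  contentbodylower,
  contentfooter,
  contentbyline) VALUES
(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

  $graphicsStmt = mysqli_prepare($con,$sql2);
  if(!$graphicsStmt) {
    die('Error: '.mysqli_error($con)) ;
  }
  mysqli_stmt_bind_param($graphicsStmt,str_repeat('s',count($graphicsValues)),...$graphicsValues);
  if(!mysqli_stmt_execute($graphicsStmt)) {
    die('Error: '.mysqli_stmt_error($graphicsStmt)) ;
  }
  mysqli_stmt_close($graphicsStmt);
  mysqli_close($con);
  header('Location: admin.php');
  // The connection is closed and the response is a redirect, so stop here
  // instead of falling through to the handlers below.
  exit;
}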

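// Admin-only: delete one member account.
// POST fields: delete="yes", users=<username>.
// Responds "500" when the admin account is targeted and "100" on success.
// NOTE(review): this state-changing request is authorised by cookies alone; no
// anti-CSRF token is checked anywhere in this file.
if(isset($_POST['delete']) && isset($_POST['users']) && $isAdmin){
  if($_POST['delete']==="yes" && is_string($_POST['users'])){
    $targetUser = $_POST['users'];
    if($targetUser==="admin"){
      // NOTE(review): this guard is an exact, case-sensitive match; confirm it
      // agrees with how the database compares usernames.
      echo "500"; //Unable to delete admin account
    }else{
      // The username is bound as a parameter instead of being interpolated into the statement.
      $deleteStmt = mysqli_prepare($con,"DELETE FROM members WHERE username = ?") or die(mysqli_error($con));
      mysqli_stmt_bind_param($deleteStmt,'s',$targetUser);
      if(!mysqli_stmt_execute($deleteStmt))
      {
        // The original called mysql_error(), which belongs to the removed mysql extension.
        die('Unable to delete the user: ' . mysqli_stmt_error($deleteStmt));
      }
      mysqli_stmt_close($deleteStmt);
      mysqli_close($con);
      echo "100";  //success
    }
  }
}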

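// Admin-only: create a member account.
// POST fields: add="yes", user, pass, cpass (password confirmation).
// Responds "777" when the name is "admin", "200" when the username is taken,
// "100" on success and "499" when the insert fails. A pass/cpass mismatch
// produces no output, as before.
// NOTE(review): passwords are stored as unsalted md5(), which is not a
// password hash. Moving to password_hash()/password_verify() also means
// changing the login code and the cookie check, neither of which is fully
// visible here, so the storage format is left unchanged.
$exists = false;
if(isset($_POST['add'])  && $isAdmin && isset($_POST['user']) && isset($_POST['pass']) && isset($_POST['cpass']) ){
  if($_POST['add']==="yes" && is_string($_POST['user']) && is_string($_POST['pass']) && is_string($_POST['cpass'])){
    $newUser = $_POST['user'];
    if($newUser==="admin"){
      echo "777"; //Admin account already exists
    }else if($_POST['pass']===$_POST['cpass'] ){
      // Look up just this username instead of loading the whole table; the
      // comparison now follows the username column's collation.
      $lookupStmt = mysqli_prepare($con,"SELECT username FROM members WHERE username = ?") or die(mysqli_error($con));
      mysqli_stmt_bind_param($lookupStmt,'s',$newUser);
      mysqli_stmt_execute($lookupStmt) or die(mysqli_stmt_error($lookupStmt));
      mysqli_stmt_bind_result($lookupStmt,$existingName);
      if(mysqli_stmt_fetch($lookupStmt)===true){
        echo "200"; //Username Already Exists
        $exists = true;
      }
      mysqli_stmt_close($lookupStmt);

      if(!$exists){
        // Username and hash are bound as parameters; the original concatenated
        // the raw POST value into the INSERT text.
        $newHash = md5($_POST['pass']);
        $adduser_query="INSERT INTO members (username, password) VALUES (?, ?)";
        $insertStmt = mysqli_prepare($con,$adduser_query);
        if(!$insertStmt
          || !mysqli_stmt_bind_param($insertStmt,'ss',$newUser,$newHash)
          || !mysqli_stmt_execute($insertStmt)) {
          // Report the failure with the same code the password-change handler
          // uses, rather than returning an empty response.
          error_log('Unable to add member: '.mysqli_error($con));
          echo "499";
        }else{
          mysqli_stmt_close($insertStmt);
          mysqli_close($con);
          echo "100";
        }
      }
    }
  }
}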

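// Change a member's password after verifying the current one.
// POST fields: change="yes", user, cpass (current password), npass (new password).
// Responds "100" on success, "499" when the update fails and
// "Current password is wrong" when verification fails.
// NOTE(review): `user` comes from the request, not from the authenticated
// cookie, and $isAdmin is not consulted; confirm that any caller who knows an
// account's current password is meant to be able to change it.
// NOTE(review): md5() is kept only for compatibility with the stored values;
// it is not a password hash.
if(isset($_POST['change'])&& isset($_POST['user']) && isset($_POST['cpass']) && isset($_POST['npass'])){
  if($_POST['change']==="yes" && is_string($_POST['user']) && is_string($_POST['cpass']) && is_string($_POST['npass'])){
    $memberName = $_POST['user'];

    // The username is bound as a parameter in both statements.
    $lookupStmt = mysqli_prepare($con,"SELECT password FROM members WHERE username = ?") or die(mysqli_error($con));
    mysqli_stmt_bind_param($lookupStmt,'s',$memberName);
    mysqli_stmt_execute($lookupStmt) or die(mysqli_stmt_error($lookupStmt));
    mysqli_stmt_bind_result($lookupStmt,$currentHash);
    $memberFound = mysqli_stmt_fetch($lookupStmt);
    mysqli_stmt_close($lookupStmt);

    // Strict, constant-time comparison: loose "==" can treat two different
    // digests as equal when both happen to look like numbers.
    if ($memberFound===true && is_string($currentHash) && hash_equals($currentHash,md5($_POST['cpass']))) {
      $newPass = md5($_POST['npass']);
      $adduser_query="UPDATE members SET password = ? WHERE username = ?";
      $updateStmt = mysqli_prepare($con,$adduser_query);
      if(!$updateStmt
        || !mysqli_stmt_bind_param($updateStmt,'ss',$newPass,$memberName)
        || !mysqli_stmt_execute($updateStmt)) {
        echo "499";
      }else{
        mysqli_stmt_close($updateStmt);
        mysqli_close($con);
        echo "100";
      }
    }else{
      echo "Current password is wrong";
    }
  }
}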


// When userdata=yes is posted, respond with every distinct username, each
// prefixed by "|" (for example "|alice|bob").
// NOTE(review): this listing is not gated by $isAdmin; confirm that every
// caller who reaches this point is meant to see the full member list.
if(isset($_POST['userdata']) && $_POST['userdata']=="yes"){
  $memberRows = mysqli_query($con,"SELECT DISTINCT username FROM members") or die(mysqli_error($con));
  $content = "";
  while($member=mysqli_fetch_array($memberRows)){
    $content .= "|".$member['username'];
  }
  echo $content;
}


?>